FEMITBOT, a large-scale scam network, is using Telegram’s Mini App feature to run fake crypto platforms, impersonate well-known brands, and send out harmful Android malware.
According to CTM360, a cybersecurity firm, the scam operation uses Telegram bots and embedded Mini Apps to create phishing interfaces that load directly in Telegram’s built-in browser.
The scam pages look more realistic than a regular phishing link sent by email or SMS because the victims never leave the messaging app.
FEMITBOT uses Telegram to find victims
Telegram Mini Apps are small web apps that work inside Telegram’s own WebView.
They let users make payments, access accounts, and use interactive tools without having to install a separate app or browser.
The people who run FEMITBOT have turned this ease of use into a weapon.
When a victim clicks “Start” on one of the fake bots, a Mini App opens, displaying a phishing page that appears to be a crypto investment dashboard.
The pages show fake account balances and earnings, and they often have countdown timers or limited-time offers that are meant to make people feel like they need to act quickly.
The financial extraction takes place during the withdrawal process.
People who try to cash out their fake winnings are told they have to first deposit real money or do referral tasks. This is a common way for advance-fee and pig-butchering scams to work.
FEMITBOT impersonates brands at scale
Security researchers call the architecture of FEMITBOT a “modular, template-driven” one.
The shared backend lets operators change the branding, languages, and visual themes of campaigns while keeping the same infrastructure.
Researchers at CTM360 confirmed the link by finding a common API response string, “Welcome to join the FEMITBOT platform,” that was sent back by several phishing domains.
Some of the fake brands were from the crypto world, including Bitget, OKX, Binance, and MoonPay.
The wide range of impersonation suggests that the operation is meant to reach a lot of people worldwide.
The campaigns also use tracking that is similar to advertising.
“The observed infrastructure integrates conversion tracking mechanisms from Meta Platforms(Facebook/Instagram) and TikTok within its operations,” wrote researchers from CTM360.
Some FEMITBOT Mini Apps use Meta and TikTok tracking pixels to keep an eye on what users do, figure out how many people convert, and improve the performance of their campaigns, using techniques straight from real digital marketing.
Scammers distribute malware through fake APKs
Some FEMITBOT Mini Apps not only commit financial fraud, but they also spread Android malware that looks like real apps.
Security researchers found APK files that pretended to be from brands like Netflix, BBC, NVIDIA, CineTV, Coreweave, and Claro.
The firm said that the APK files are hosted on the same domain as the campaign’s API. This makes sure that the TLS certificates are valid and keeps browser security warnings from showing up, which could alert victims.
Users are asked to sideload the APK files, open links in the app’s browser, or install progressive web apps that look like real software.
Examples of malicious APK files. Source: CTM350.
FEMITBOT’s malware component is most dangerous for people who use Android.
One of the most common ways for mobile malware to get onto your phone is by sideloading APK files from outside the Google Play Store.
FEMITBOT’s use of matching TLS certificates makes its downloads harder to tell apart from real files at a glance.
If a Telegram bot tells users to invest in crypto, shows unrealistic returns, or requires them to deposit money before they can withdraw funds, they should be suspicious.
Countdown timers, urgency language, and referral requirements are all signs of advance-fee fraud.